The reform of the EU data protection regulation

May 2013 - January 2017
around 15,000 € in kind
Funding organization: 


Person(s) in charge: 

Alessandro Mantelero (Project manager)

Executive summary: 

The increasing demand for data protection due to new technological applications and the necessity to reinforce user's trust in services provided by the public and private sector is inducing legislators to approve data protection laws or amend the existing regulations in order to adapt them to the technological evolution and new challenges.
In this context the US and EU regulations have a central role due to the dimension of their marketplaces and the consequent impact of data protection on consumer protection. From this perspective, the impact of the EU Proposal on data protection regulation should be analyzed in order to evaluate its effect on online user's behavior and, consequently, on business strategies.


In 2012, the European Commission proposed a reform of the EU legal framework on data protection. The EU proposal for a general data protection regulation represents an evolution of the existing EU model, derived from the adoption of the Directive 95/46/EC in each Member State. The proposal intends to grant a higher level of protection and a more homogeneous processing of data.
The Proposal shifts the focus of the regulation from users’ self-determination to accountability and risk assessment (e.g,. data protection impact assessment, privacy by design). Nevertheless the “notice and choice” model remains a fundamental aspect of the new framework.


Last Update: 2014-05-30; Next Expected Update: 2015-03-31

1. Analyze the ongoing debate on the new proposal in the different stages of the legislative process.

2. Assess the impact of the future regulation on the social and economic context.

3. Consider the limits of the EU proposal and the issues that are not adequately addressed by the European legislator (i.e., Big Data analytics, group privacy, social surveillance, trans-border data flows).


Last Update: 2014-05-30; Next Expected Update: 2015-03-31

As one of the main research results, it emerges that, in the aforementioned scenario, keeping the focus of data protection only on the individual and its decisions is no longer adequate. If legislators consider data protection as a fundamental right, it is necessary to reinforce its protection in order to make it effective and not conditioned by asymmetries between data subject and data controllers. This aim is implemented by the EU proposal by means of three different instruments, such as data protection impact assessment, privacy by design/by default solutions and the data minimization principle.
Part of the output of this research thread was included in a deliverable within the “Privacy” joint research activity in of the EINS Network of Excellence (p. 42).
Further analyses and reflections have been presented by Nexa Director of Privacy Alessandro Mantelero in selected workshops and conferences, amongst which the Fifth Northumbria Information Rights Conference (Gateshead, UK, May 1, 2013), and the Global Workshop on Data Uses and Impacts (London, UK, May 30-31, 2013), and the 9th International Conference on Internet, Law & Politics (Barcelona, Spain, June, 25-26, 2013) (see project page for a detailed list).

Other conferece papers include:
- Brown bag seminar, Oxford Internet Institute (Oxford, UK, June 5, 2013). Mantelero, “Big Data and the EU proposal on data protection: the crisis of the European paradigm?”
- 9th International Conference on Internet, Law & Politics (Barcelona, Spain, June, 25-26, 2013). Mantelero-Vaciago, “Big data and social control in the perspective of proposed EU reform on data protection”
- 2nd World Social Science Forum (Montréal, Canada, September, 18-19-20, 2013). Mantelero, “Big Data and Control over Information: From Big Players to the Citizens”
- Media & Learning 2013 (Flemish Ministry of Education, Brussels, Belgium, December, 12-13, 2013). Mantelero, “Teens, privacy and online security”
- 6th International Conference on Information Law and Ethics (Thessaloniki, Greece, May 30-31, 2014). Mantelero, “Rethinking E.U. data protection in the Big Data world”
- SCL Technology Law Futures Forum (Society for Computers and Law, London, UK, June 26-27, 2014) Workshop.

This research area was also tackled in relevant journal publications:
- Mantelero A. The EU Proposal for a General Data Protection Regulation and the roots of the 'right to be forgotten'. Computer Law and Security Review, (29) 2013, 229-235
- Mantelero A. Competitive value of data protection: the impact of data protection regulation on online behavior. International Data Privacy Law, (2013) (2013) 3 (4): 229-238
- Mantelero, A., Vaciago, G. The "Dark Side" of Big Data: Private and Public Interaction in Social Surveillance, How data collections by private entities affect governmental social control and how the EU reform on data protection responds. Computer Law Review International 2013, 161-169
- Mantelero, A., The future of consumer data protection in the E.U. Rethinking the “notice and consent” paradigm in the new era of predictive analytics. Computer Law and Security Review, (2014, forthcoming).

The EU data protection reform. Privacy & consumer protection

October 7, 2014
Salone d'Onore del Castello del Valentino
Politecnico di Torino